Integration with X.500

True integration with an X.500 directory can be extremely hard to achieve. There are multiple reasons for this. First, there are not many X.500 directories in production today. This is because the X.500 standard is cumbersome to deploy and manage. Second, the Directory Access Protocol requires a lot of overhead and is difficult to configure.

Consequently, one of the best ways to integrate with an X.500 directory is to find an X.500 directory that supports LDAP and that uses LDAP as the protocol for reading and writing data between Active Directory and the X.500 directory. This type of directory architecture has been used for the past several years as LDAP has gained more popularity. Without exception, all the major X.500 directory services on the market today support LDAP (see Figure 3.8).

If you are planning for integration and coexistence between Active Directory and an existing X.500 directory, it is likely that the directory interchange architecture and Active Directory structure are derived from the existing X.500 directory structure. This is because X.500 directories are typically designed and developed from the top down. Because of this, the directory structure can be rigid and difficult to modify. This is not to say, however, that the Active Directory structure will be the same as the existing X.500 directory structure. If implementing Active Directory in an environment that already has a directory in place, it is important to consider implementing the best design for a directory—not to simply mirror what is already in place.

Active Directory hierarchies and the best design properties for that hierarchy are discussed later in the book. That discussion focuses primarily on establishing a simple hierarchy. In many cases, X.500 hierarchies are multi-layered and can be complicated in nature.